Line: 1 to 1 | ||||||||
---|---|---|---|---|---|---|---|---|
Nevis Networks and Firewall Restrictions | ||||||||
Line: 25 to 25 | ||||||||
CUIT![]() | ||||||||
Changed: | ||||||||
< < | servers to assign IP names to individual system (e.g., 129.236.252.8 | |||||||
> > | servers to assign IP names to individual systems (e.g., 129.236.252.8 | |||||||
has the name franklin.nevis.columbia.edu ).
Access to systems on the Nevis network by the rest of the Internet (the "outside") is restricted to some extent by our firewall policy; e.g., we only permit access via ssh![]() | ||||||||
Line: 67 to 67 | ||||||||
When systems on the private network access the outside world (e.g., if
someone on eeyore logs into CERN![]() | ||||||||
Changed: | ||||||||
< < | appears to come from address 129.236.255.57, the "outside" IP address | |||||||
> > | appears to come from address 129.236.255.60, the "outside" IP address | |||||||
of our firewall. This is called "IP masquerading" or "Network
Adddress Translation." Outside users cannot login or otherwise access
this dummy address; such attempts are blocked by the firewall.
Examples of Nevis systems on the private network are:
| ||||||||
Changed: | ||||||||
< < |
| |||||||
> > |
| |||||||
The private network has a limitation: for a machine to be on the private network, it must be connected to a switch that is set up using |
Line: 1 to 1 | ||||||||
---|---|---|---|---|---|---|---|---|
Nevis Networks and Firewall Restrictions | ||||||||
Line: 24 to 24 | ||||||||
CUIT![]() | ||||||||
Changed: | ||||||||
< < | firewall to control access to the public network, and our own DNS![]() | |||||||
> > | firewall to control access to the public network, and our own DNS | |||||||
servers to assign IP names to individual system (e.g., 129.236.252.8
has the name franklin.nevis.columbia.edu ). |
Line: 1 to 1 | ||||||||
---|---|---|---|---|---|---|---|---|
Nevis Networks and Firewall Restrictions | ||||||||
Line: 52 to 52 | ||||||||
any of the systems on the private network.
Here's a more specific example. Consider two systems: kolya.nevis.columbia.edu | ||||||||
Changed: | ||||||||
< < | with IP address 129.236.252.83 , and student40.nevis.columbia.edu
with IP address 10.44.40.40 . The former system is | |||||||
> > | with IP address 129.236.252.83 , and eeyore.nevis.columbia.edu
with IP address 10.44.40.67 . The former system is | |||||||
on the public network, the latter system is on the private network. A
user logged into kolya can ssh![]() | ||||||||
Changed: | ||||||||
< < | student40 , and vice versa. A user at CERN![]() ![]() kolya , but not to student40 ; if there was a critical
need to login to student40 from CERN![]() kolya first, then login to student40 from there. | |||||||
> > | eeyore , and vice versa. A user at CERN![]() ![]() kolya , but not to eeyore ; if there was a critical
need to login to eeyore from CERN![]() kolya first, then login to eeyore from there. | |||||||
(Note that because of automount, | ||||||||
Changed: | ||||||||
< < | there's actually little need to login to student40 directly; | |||||||
> > | there's actually little need to login to eeyore directly; | |||||||
this example would be more relevant for systems that were not part of
the Linux cluster![]() | ||||||||
Changed: | ||||||||
< < | someone on student40 logs into CERN![]() | |||||||
> > | someone on eeyore logs into CERN![]() | |||||||
appears to come from address 129.236.255.57, the "outside" IP address of our firewall. This is called "IP masquerading" or "Network Adddress Translation." Outside users cannot login or otherwise access | ||||||||
Line: 74 to 74 | ||||||||
Examples of Nevis systems on the private network are:
| ||||||||
Changed: | ||||||||
< < |
| |||||||
> > |
| |||||||
| ||||||||
Line: 143 to 143 | ||||||||
The systems in the Annex are not part of the Nevis public network, so
they cannot access the individual systems in the Nevis private
network; e.g., you can't login from merlin.phys.columbia.edu | ||||||||
Changed: | ||||||||
< < | to student40.nevis.columbia.edu , or use automount
to access /a/data/student40 . | |||||||
> > | to eeyore.nevis.columbia.edu , or use automount
to access /a/data/eeyore . | |||||||
Ping, Traceroute, and the Firewall |
Line: 1 to 1 | ||||||||
---|---|---|---|---|---|---|---|---|
Nevis Networks and Firewall Restrictions | ||||||||
Line: 18 to 18 | ||||||||
talking to a firewall expert) consists of the IP addresses 129.236.252.XXX, where XXX ranges from 0 to 255. These 256 addresses are a "class C" network, which means only the fourth field, or the | ||||||||
Changed: | ||||||||
< < | final "octat," is variable within the network. This address range | |||||||
> > | final "octet," is variable within the network. This address range | |||||||
was assigned to the particle-physics research group at Nevis by
Columbia University Information Technology ("CUIT")![]() | ||||||||
Line: 51 to 51 | ||||||||
a system on the outside, but a system on the outside cannot ssh![]() | ||||||||
Changed: | ||||||||
< < | Here's a more specific example. Consider two systems: =kolya.nevis.columbia.edu=
with IP address 129.236.252.83 , and =student40.nevis.columbia.edu=![]() | |||||||
> > | Here's a more specific example. Consider two systems: kolya.nevis.columbia.edu
with IP address 129.236.252.83 , and student40.nevis.columbia.edu | |||||||
with IP address 10.44.40.40 . The former system is
on the public network, the latter system is on the private network. A
user logged into kolya can ssh![]() |
Line: 1 to 1 | ||||||||
---|---|---|---|---|---|---|---|---|
Nevis Networks and Firewall Restrictions | ||||||||
Added: | ||||||||
> > | ||||||||
This web page contains a discussion of the Nevis network environment,
including some of the traffic restrictions imposed by the Nevis
firewall![]() | ||||||||
Deleted: | ||||||||
< < | ||||||||
The Nevis Public Network (129.236.252 / 24)The Nevis public network (call it the "inside" network if you're |
Line: 1 to 1 | ||||||||
---|---|---|---|---|---|---|---|---|
Nevis Networks and Firewall Restrictions | ||||||||
Line: 26 to 26 | ||||||||
servers to assign IP names to individual system (e.g., 129.236.252.8
has the name franklin.nevis.columbia.edu ). | ||||||||
Changed: | ||||||||
< < | Access to systems on the Nevis network by the rest of the Internet
(the "outside") is restricted to some extent by our firewall policy;
e.g., we only permit access via ssh![]() | |||||||
> > | Access to systems on the Nevis network by the rest of the Internet (the "outside") is restricted to some extent by our firewall policy; e.g., we only permit access via ssh![]() | |||||||
Any system on the Nevis public network is constantly being probed by the outside world. Every port is checked for vulnerabilities. Attempts are being made to login to every account with a well-known name, with all obvious password combinations. | ||||||||
Line: 139 to 134 | ||||||||
where ZZZ ranges from 64 through 127; this is a "sub-octet" of 64
addresses. The network management in that area (including DHCP![]() ![]() | ||||||||
Changed: | ||||||||
< < | few Nevis-specific network services, such as CUPS![]() | |||||||
> > | few Nevis-specific network services, such as CUPS | |||||||
and NIS![]() annex.phys.columbia.edu .) |
Line: 1 to 1 | ||||||||
---|---|---|---|---|---|---|---|---|
Nevis Networks and Firewall Restrictions | ||||||||
Line: 33 to 33 | ||||||||
However, it is best to be cautious when formulating a network security policy, so you should assume the following: | ||||||||
Changed: | ||||||||
< < | Any system on the Nevis _public network is constantly being probed by the outside world. Every port is checked for vulnerabilities. Attempts are being made to login to every account with a well-known name, with all obvious password combinations._ | |||||||
> > | Any system on the Nevis public network is constantly being probed by the outside world. Every port is checked for vulnerabilities. Attempts are being made to login to every account with a well-known name, with all obvious password combinations. | |||||||
This means that for a system to be on the public network, it should offer some service outside of Nevis (e.g., the Nevis web server), or there is a need to login directly to the system from the outside. | ||||||||
Changed: | ||||||||
< < | Otherwise it is probably best for the system to be on the private | |||||||
> > | Otherwise it is probably best for the system to be on the private | |||||||
network.
The Nevis Private Network (10.44 / 16) | ||||||||
Changed: | ||||||||
< < | The Nevis "private" network (also known as our "local" network) | |||||||
> > | The Nevis private network (also known as our "local" network) | |||||||
consists of the IP address range 10.44.XXX.YYY, where both XXX and YYY can vary from 0 to 255; this is called a "class B" network, and has 65536 possible IP addresses. These IP addresses are only visible behind the Nevis firewall; that is, on the public and private networks. The outside world cannot | ||||||||
Changed: | ||||||||
< < | access them directly; a system on the private network can ssh![]() | |||||||
> > | access them directly; a system on the private network can ssh![]() | |||||||
a system on the outside, but a system on the outside cannot ssh![]() | ||||||||
Changed: | ||||||||
< < | any of the systems on the private network. | |||||||
> > | any of the systems on the private network. | |||||||
Here's a more specific example. Consider two systems: =kolya.nevis.columbia.edu=
with IP address 129.236.252.83 , and =student40.nevis.columbia.edu=![]() 10.44.40.40 . The former system is | ||||||||
Changed: | ||||||||
< < | on the public network, the latter system is on the private network. A | |||||||
> > | on the public network, the latter system is on the private network. A | |||||||
user logged into kolya can ssh![]() student40 , and vice versa. A user at CERN![]() ![]() kolya , but not to student40 ; if there was a critical | ||||||||
Line: 68 to 68 | ||||||||
this example would be more relevant for systems that were not part of
the Linux cluster![]() | ||||||||
Changed: | ||||||||
< < | When systems on the private network access the outside world (e.g., if | |||||||
> > | When systems on the private network access the outside world (e.g., if | |||||||
someone on student40 logs into CERN![]() | ||||||||
Changed: | ||||||||
< < | Examples of Nevis systems on the private network are: | |||||||
> > | Examples of Nevis systems on the private network are: | |||||||
Changed: | ||||||||
< < | The private network has a limitation: for a machine to be on the | |||||||
> > | The private network has a limitation: for a machine to be on the | |||||||
private network, it must be connected to a switch that is set up using VLANs for the Nevis networks. That means if that if all the boxes in a room are connected through the same hub, they must all either be on the public | ||||||||
Changed: | ||||||||
< < | or the private network. Offices with a separate ethernet port for each | |||||||
> > | or the private network. Offices with a separate ethernet port for each | |||||||
machine (which includes all the faculty and administrative offices)
can have each port individually assigned to a network.
Security note | ||||||||
Changed: | ||||||||
< < | One apparent advantage of the private network is that, since | |||||||
> > | One apparent advantage of the private network is that, since | |||||||
systems on this network cannot be probed by outside attackers, there is less need to be as "paranoid" about security issues on such systems. However, there are still other avenues of attack on the | ||||||||
Changed: | ||||||||
< < | private network: | |||||||
> > | private network: | |||||||
| ||||||||
Changed: | ||||||||
< < |
| |||||||
> > |
| |||||||
| ||||||||
Changed: | ||||||||
< < | systems, even those on the private network. | |||||||
> > | systems, even those on the private network. | |||||||
Changed: | ||||||||
< < | The Nevis Sandbox (10.43 / 16) and Wireless Networks (192.168.N.X / 24) | |||||||
> > | The Nevis Sandbox (10.43 / 16) Network | |||||||
With both public and private networks, why do we need yet another network at Nevis? The public network is for devices at Nevis that can be | ||||||||
Line: 121 to 121 | ||||||||
laptops. Therefore, to the extent that it's possible, we place laptops in the | ||||||||
Changed: | ||||||||
< < | "sandbox" network. In the sandbox, the laptops can "play with each | |||||||
> > | sandbox network. In the sandbox, the laptops can "play with each | |||||||
other" and potentially infect each other if they're not well-maintained. However, these systems have no special access to Nevis services; they see the Nevis networks in the same way as a system outside of Nevis. | ||||||||
Changed: | ||||||||
< < | In particular, the wireless access points at Nevis are all in the "sandbox" network. They are assigned addresses in the range | |||||||
> > | In particular, the wireless access points at Nevis are all in the sandbox network. They are assigned addresses in the range | |||||||
10.43.XXX.YYY, where XXX and YYY can each vary from 0 to 255. | ||||||||
Deleted: | ||||||||
< < | Several wireless routers have been installed on the upper floor
of the Nevis particle-physics research building, and more may be
installed in the future in any location in which laptops are in common
use.
Each wireless router has its own IP address, and
each is its own separate DHCP![]() 10.43.2.N , the DHCP addresses it offers are in
the range 192.168.N.XXX, where XXX is from 2 to 100.
The purpose of this arrangement is to make it easier to find out which
wireless router your laptop is using. For example, if your laptop has
been assigned the IP address 192.168.5.4, then it's getting its
wireless signal from the router at 10.43.2.5 =
wireless-library.nevis.columbia.edu , the wireless access point in
the Nevis library. | |||||||
The Nevis Annex Network (128.59.170.64 / 26) | ||||||||
Line: 160 to 144 | ||||||||
are handled by a local server, annex.phys.columbia.edu .)
The systems in the Annex are not part of the Nevis public network, so | ||||||||
Changed: | ||||||||
< < | they cannot access the individual systems in the Nevis private | |||||||
> > | they cannot access the individual systems in the Nevis private | |||||||
network; e.g., you can't login from merlin.phys.columbia.edu
to student40.nevis.columbia.edu , or use automount
to access /a/data/student40 . | ||||||||
Line: 182 to 166 | ||||||||
| ||||||||
Changed: | ||||||||
< < |
| |||||||
> > |
| |||||||
| ||||||||
Changed: | ||||||||
< < |
| |||||||
> > |
| |||||||
What's all this stuff about VLANs? | ||||||||
Line: 198 to 182 | ||||||||
A VLAN is a way for more than one independent network to travel along a device, including a router, switch or even a single ethernet cable. | ||||||||
Changed: | ||||||||
< < | At Nevis, there are three independent networks: public, private-, and _sandbox. Therefore, we have three VLANs, numbered | |||||||
> > | At Nevis, there are three independent networks: public, private, and sandbox. Therefore, we have three VLANs, numbered | |||||||
1, 2, and 3 respectively. As far as Nevis is concerned, all VLANs are port-based; in turn, a port-based VLAN can be |
Line: 1 to 1 | ||||||||
---|---|---|---|---|---|---|---|---|
Nevis Networks and Firewall Restrictions | ||||||||
Line: 12 to 12 | ||||||||
The Nevis Public Network (129.236.252 / 24) | ||||||||
Changed: | ||||||||
< < | The Nevis "public" network (call it the "inside" network if you're | |||||||
> > | The Nevis public network (call it the "inside" network if you're | |||||||
talking to a firewall expert) consists of the IP addresses 129.236.252.XXX, where XXX ranges from 0 to 255. These 256 addresses are a "class C" network, which means only the fourth field, or the | ||||||||
Line: 22 to 22 | ||||||||
CUIT![]() | ||||||||
Changed: | ||||||||
< < | firewall to control access to the public network, and our own DNS![]() | |||||||
> > | firewall to control access to the public network, and our own DNS![]() | |||||||
servers to assign IP names to individual system (e.g., 129.236.252.8
has the name franklin.nevis.columbia.edu ). | ||||||||
Line: 33 to 33 | ||||||||
However, it is best to be cautious when formulating a network security policy, so you should assume the following: | ||||||||
Changed: | ||||||||
< < | Any system on the Nevis public network is constantly being probed by the outside world. Every port is checked for vulnerabilities. Attempts are being made to login to every account with a well-known name, with all obvious password combinations. | |||||||
> > | Any system on the Nevis _public network is constantly being probed by the outside world. Every port is checked for vulnerabilities. Attempts are being made to login to every account with a well-known name, with all obvious password combinations._ | |||||||
Changed: | ||||||||
< < | This means that for a system to be on the public network, it should | |||||||
> > | This means that for a system to be on the public network, it should | |||||||
offer some service outside of Nevis (e.g., the Nevis web server), or there is a need to login directly to the system from the outside. Otherwise it is probably best for the system to be on the private | ||||||||
Line: 49 to 49 | ||||||||
possible IP addresses. These IP addresses are only visible behind the Nevis firewall; that | ||||||||
Changed: | ||||||||
< < | is, on the public and private networks. The outside world cannot | |||||||
> > | is, on the public and private networks. The outside world cannot | |||||||
access them directly; a system on the private network can ssh![]() ![]() | ||||||||
Line: 57 to 57 | ||||||||
Here's a more specific example. Consider two systems: =kolya.nevis.columbia.edu=
with IP address 129.236.252.83 , and =student40.nevis.columbia.edu=![]() 10.44.40.40 . The former system is | ||||||||
Changed: | ||||||||
< < | on the public network, the latter system is on the private network. A | |||||||
> > | on the public network, the latter system is on the private network. A | |||||||
user logged into kolya can ssh![]() student40 , and vice versa. A user at CERN![]() ![]() kolya , but not to student40 ; if there was a critical | ||||||||
Line: 84 to 84 | ||||||||
private network, it must be connected to a switch that is set up using VLANs for the Nevis networks. That means if that if all the boxes in a room are | ||||||||
Changed: | ||||||||
< < | connected through the same hub, they must all either be on the public | |||||||
> > | connected through the same hub, they must all either be on the public | |||||||
or the private network. Offices with a separate ethernet port for each machine (which includes all the faculty and administrative offices) can have each port individually assigned to a network. | ||||||||
Line: 100 to 100 | ||||||||
| ||||||||
Changed: | ||||||||
< < |
| |||||||
> > |
| |||||||
Therefore, it's important to maintain an awareness of security on all
systems, even those on the private network.
The Nevis Sandbox (10.43 / 16) and Wireless Networks (192.168.N.X / 24) | ||||||||
Changed: | ||||||||
< < | With both public and private networks, why do we need yet another network at Nevis? The public network is for devices at Nevis that can be accessed by the outside world (e.g., workgroup servers); the private | |||||||
> > | With both public and private networks, why do we need yet another network at Nevis? The public network is for devices at Nevis that can be accessed by the outside world (e.g., workgroup servers); the private | |||||||
network is for devices that have an individual network identity at Nevis but don't need to be accessed by the outside world (e.g,. compute nodes). | ||||||||
Line: 159 to 159 | ||||||||
and NIS![]() annex.phys.columbia.edu .) | ||||||||
Changed: | ||||||||
< < | The systems in the Annex are not part of the Nevis public network, so | |||||||
> > | The systems in the Annex are not part of the Nevis public network, so | |||||||
they cannot access the individual systems in the Nevis private
network; e.g., you can't login from merlin.phys.columbia.edu
to student40.nevis.columbia.edu , or use automount | ||||||||
Line: 179 to 179 | ||||||||
To provide a balance between diagnosing network problems and preventing attackers from flooding our network, the following policy is in place: | ||||||||
Changed: | ||||||||
< < |
| |||||||
> > |
| |||||||
| ||||||||
Changed: | ||||||||
< < |
| |||||||
> > |
| |||||||
| ||||||||
Changed: | ||||||||
< < |
| |||||||
> > |
| |||||||
| ||||||||
Line: 198 to 198 | ||||||||
A VLAN is a way for more than one independent network to travel along a device, including a router, switch or even a single ethernet cable. | ||||||||
Changed: | ||||||||
< < | At Nevis, there are three independent networks: public, private, and sandbox. Therefore, we have three VLANs, numbered | |||||||
> > | At Nevis, there are three independent networks: public, private-, and _sandbox. Therefore, we have three VLANs, numbered | |||||||
1, 2, and 3 respectively. As far as Nevis is concerned, all VLANs are port-based; in turn, a port-based VLAN can be | ||||||||
Line: 243 to 243 | ||||||||
This implies that if the firewall goes down, the different VLANs cannot communicate with each other. (This is not strictly true; most | ||||||||
Changed: | ||||||||
< < | of the workgroup servers have connections to both the public and private networks | |||||||
> > | of the workgroup servers have connections to both the public and private networks | |||||||
through their two Ethernet ports.) That is why, in the event of a power outage, the automatic power-monitoring software on the cluster will shut down all the systems if the firewall's power supply is getting low. |
Line: 1 to 1 | ||||||||
---|---|---|---|---|---|---|---|---|
Added: | ||||||||
> > |
Nevis Networks and Firewall RestrictionsThis web page contains a discussion of the Nevis network environment, including some of the traffic restrictions imposed by the Nevis firewall![]() The Nevis Public Network (129.236.252 / 24)The Nevis "public" network (call it the "inside" network if you're talking to a firewall expert) consists of the IP addresses 129.236.252.XXX, where XXX ranges from 0 to 255. These 256 addresses are a "class C" network, which means only the fourth field, or the final "octat," is variable within the network. This address range was assigned to the particle-physics research group at Nevis by Columbia University Information Technology ("CUIT")![]() ![]() ![]() franklin.nevis.columbia.edu ).
Access to systems on the Nevis network by the rest of the Internet
(the "outside") is restricted to some extent by our firewall policy;
e.g., we only permit access via ssh![]() The Nevis Private Network (10.44 / 16)The Nevis "private" network (also known as our "local" network) consists of the IP address range 10.44.XXX.YYY, where both XXX and YYY can vary from 0 to 255; this is called a "class B" network, and has 65536 possible IP addresses. These IP addresses are only visible behind the Nevis firewall; that is, on the public and private networks. The outside world cannot access them directly; a system on the private network can ssh![]() ![]() 129.236.252.83 , and =student40.nevis.columbia.edu=![]() 10.44.40.40 . The former system is
on the public network, the latter system is on the private network. A
user logged into kolya can ssh![]() student40 , and vice versa. A user at CERN![]() ![]() kolya , but not to student40 ; if there was a critical
need to login to student40 from CERN![]() kolya first, then login to student40 from there.
(Note that because of automount,
there's actually little need to login to student40 directly;
this example would be more relevant for systems that were not part of
the Linux cluster![]() student40 logs into CERN![]()
Security noteOne apparent advantage of the private network is that, since systems on this network cannot be probed by outside attackers, there is less need to be as "paranoid" about security issues on such systems. However, there are still other avenues of attack on the private network:
The Nevis Sandbox (10.43 / 16) and Wireless Networks (192.168.N.X / 24)With both public and private networks, why do we need yet another network at Nevis? The public network is for devices at Nevis that can be accessed by the outside world (e.g., workgroup servers); the private network is for devices that have an individual network identity at Nevis but don't need to be accessed by the outside world (e.g,. compute nodes). There is another class of device: Machines that are brought into Nevis, but are not maintained at Nevis, that don't require access by the outside world, and for which for security reasons should be kept isolated from the rest of the Nevis networks. Primarily, these are laptops. Therefore, to the extent that it's possible, we place laptops in the "sandbox" network. In the sandbox, the laptops can "play with each other" and potentially infect each other if they're not well-maintained. However, these systems have no special access to Nevis services; they see the Nevis networks in the same way as a system outside of Nevis. In particular, the wireless access points at Nevis are all in the "sandbox" network. They are assigned addresses in the range 10.43.XXX.YYY, where XXX and YYY can each vary from 0 to 255. Several wireless routers have been installed on the upper floor of the Nevis particle-physics research building, and more may be installed in the future in any location in which laptops are in common use. Each wireless router has its own IP address, and each is its own separate DHCP![]() 10.43.2.N , the DHCP addresses it offers are in
the range 192.168.N.XXX, where XXX is from 2 to 100.
The purpose of this arrangement is to make it easier to find out which
wireless router your laptop is using. For example, if your laptop has
been assigned the IP address 192.168.5.4, then it's getting its
wireless signal from the router at 10.43.2.5 =
wireless-library.nevis.columbia.edu , the wireless access point in
the Nevis library.
The Nevis Annex Network (128.59.170.64 / 26)The Nevis Annex![]() ![]() ![]() ![]() ![]() annex.phys.columbia.edu .)
The systems in the Annex are not part of the Nevis public network, so
they cannot access the individual systems in the Nevis private
network; e.g., you can't login from merlin.phys.columbia.edu
to student40.nevis.columbia.edu , or use automount
to access /a/data/student40 .
Ping, Traceroute, and the FirewallCommands such as ping![]() ![]() ![]()
What's all this stuff about VLANs?I assume you got here because you saw a label or notice referring to a VLAN![]() ![]() ![]()
|